[OWASP-ESAPI] ESAPI.NET - Allow custom actions

Jim Manico jim.manico at owasp.org
Tue Aug 25 17:38:19 EDT 2009


+1

Also, I want to be able to whitelist all endpoints and request  
parameter names so the moment a "tester" tries params that my app does  
not use, the alarm is sounded. I also want to stop multiple params of  
the same name unless that param is registered as a multi-select list.

Just food for thought (hopefully).

Jim Manico

On Aug 25, 2009, at 5:29 PM, Paul Apostolescu <apbogdan at gmail.com>  
wrote:

> All,
>
> I think one useful extension point for ESAPI would be to change  
> intrusion detection actions from being predefined string values to  
> objects implementing a standard interface called IAction (for  
> example). The motivation is that sometimes you need to do more than  
> just a simple logout - for example you may want to trigger a more  
> complex web sso logout.
>
> The default implementation will continue to have the already  
> implemented actions but wrapped as IAction instances, and it will  
> also allow consumers to add named custom actions at runtime - much  
> like the validation rules and codes are working today.
>
> Let me know what you think.
>
> Thanks
> Paul
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
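
An added example, not part of either message and not ESAPI.NET code: a C# sketch that combines the two ideas in this thread, an allowlist of endpoints and parameter names (with repeats permitted only for registered multi-select parameters) that hands violations to a named action object behind an `IAction` interface. Every type and member name, the `/search` endpoint and the sample requests are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// All type and member names are hypothetical, not ESAPI.NET's API.
public interface IAction { void Execute(string detail); }
public sealed class AlertAction : IAction   // stand-in for a logout or web SSO logout
{
    public void Execute(string detail) { Console.WriteLine("ALERT " + detail); }
}
public sealed class RequestAllowlist
{
    // endpoint -> (parameter name -> true if it may repeat, e.g. a multi-select list)
    private readonly Dictionary<string, Dictionary<string, bool>> _endpoints =
        new Dictionary<string, Dictionary<string, bool>>();
    private readonly Dictionary<string, IAction> _actions = new Dictionary<string, IAction>();
    public void AddEndpoint(string path, Dictionary<string, bool> ps) { _endpoints[path] = ps; }
    public void AddAction(string name, IAction action) { _actions[name] = action; }

    // True when the request fits the allowlist; otherwise runs the named action.
    public bool Check(string path, IEnumerable<KeyValuePair<string, string>> query, string action)
    {
        Dictionary<string, bool> allowed;
        string violation = null;
        if (!_endpoints.TryGetValue(path, out allowed)) violation = "unknown endpoint";
        else foreach (var g in query.GroupBy(p => p.Key))
        {
            bool mayRepeat;
            if (!allowed.TryGetValue(g.Key, out mayRepeat)) violation = "unknown parameter";
            else if (g.Count() > 1 && !mayRepeat) violation = "repeated parameter";
            if (violation != null) break;
        }
        if (violation == null) return true;
        // The detail omits the attacker-supplied name; an unregistered action name throws.
        _actions[action].Execute(violation + " on " + path);
        return false;
    }
}
public static class Demo
{
    static KeyValuePair<string, string> P(string k, string v) { return new KeyValuePair<string, string>(k, v); }
    public static void Main()
    {
        var guard = new RequestAllowlist();
        guard.AddAction("alert", new AlertAction());
        guard.AddEndpoint("/search", new Dictionary<string, bool> { { "q", false }, { "tag", true } });
        // Constructed sample requests: a valid one, a repeated "q", an unregistered "debug".
        Console.WriteLine(guard.Check("/search", new[] { P("q", "x"), P("tag", "a"), P("tag", "b") }, "alert"));
        Console.WriteLine(guard.Check("/search", new[] { P("q", "x"), P("q", "y") }, "alert"));
        Console.WriteLine(guard.Check("/search", new[] { P("debug", "1") }, "alert"));
    }
}
```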

